Vulnerability in cgroups v1 that allows escape from an isolated container

Details have been disclosed of a vulnerability (CVE-2022-0492) in the implementation of the cgroups v1 resource limitation mechanism in the Linux kernel, which can be used to escape from isolated containers. The problem has been present since Linux kernel 2.6.24 and was fixed in kernel releases 5.16.12, 5.15.26, 5.10.97, 5.4.177, 4.19.229, 4.14.266, and 4.9.301. You can follow the publication of package updates in these distributions: Debian, SUSE, Ubuntu, RHEL, Fedora, Gentoo, Arch Linux.

The vulnerability is caused by an error in the release_agent file handler, which failed to perform proper checks when running the handler with full privileges. The release_agent file is used to define the program that the kernel executes when a process in a cgroup terminates. This program runs as root and with all "capabilities" in the root namespace. It was assumed that only the administrator had access to the release_agent setting, but in reality the checks were limited to granting access to the root user, which did not rule out the setting being changed from a container or by a root user without administrator rights (CAP_SYS_ADMIN).

Previously, such a feature would not have been considered a vulnerability, but the situation changed with the arrival of user namespaces, which allow you to create separate root users in containers that do not overlap with the root user of the main environment. Accordingly, for an attack it is enough to attach your own release_agent handler in a container that has its own root user in a separate user ID space; after the process terminates, the handler will be executed with the full privileges of the main environment.

By default, cgroupfs is mounted in a container in read-only mode, but there is no problem remounting this pseudo-filesystem in write mode if you have CAP_SYS_ADMIN rights, or by using the unshare system call to create a nested container with a separate user namespace, in which CAP_SYS_ADMIN rights are available for the created container.


The attack can be carried out if you have root privileges in an isolated container, or when running a container without the no_new_privs flag, which prohibits obtaining additional privileges. The system must have user namespace support enabled (enabled by default in Ubuntu and Fedora, but not activated in Debian and RHEL) and have access to the root cgroup v1 (for example, Docker runs containers in the root RDMA cgroup). The attack is also possible with CAP_SYS_ADMIN privileges, in which case user namespace support and access to the cgroup v1 root hierarchy are not required.

In addition to escaping from an isolated container, the vulnerability also allows processes launched by the root user without "capabilities", or by any user with CAP_DAC_OVERRIDE rights (the attack requires access to the file /sys/fs/cgroup/*/release_agent, which is owned by root), to gain access to all of the system's "capabilities".

It is noted that the vulnerability cannot be exploited when the Seccomp, AppArmor or SELinux protection mechanisms are used for additional container isolation, since Seccomp blocks access to the unshare() system call, and AppArmor and SELinux do not allow cgroupfs to be mounted in write mode.
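
As an added example, not part of the original article: a Python sketch that checks a system against the conditions described above by comparing a kernel release with the fixed upstream versions listed in the article, finding cgroup v1 hierarchies mounted read-write, and reading the no_new_privs and seccomp state of a process. The function names and sample inputs are constructed for illustration. Treating series newer than 5.16 as fixed is an assumption, and distribution kernels that backport fixes need the vendor advisory rather than a version comparison.

```python
import re

# Upstream stable releases that carry the fix, as listed in the article.
FIXED = {(5, 16): 12, (5, 15): 26, (5, 10): 97, (5, 4): 177,
         (4, 19): 229, (4, 14): 266, (4, 9): 301}

def kernel_has_fix(release):
    """True/False for a listed stable series, None when the list cannot decide."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        return None
    series, patch = (int(m[1]), int(m[2])), int(m[3] or 0)
    if series in FIXED:
        return patch >= FIXED[series]
    # Assumption: series newer than the newest listed one inherit the fix.
    return True if series > max(FIXED) else None

def writable_cgroup_v1_mounts(mounts_text):
    """Mount points of cgroup v1 hierarchies mounted read-write (/proc/mounts format)."""
    hits = []
    for line in mounts_text.splitlines():
        f = line.split()
        # Filesystem type "cgroup" is v1; the unified v2 hierarchy is "cgroup2".
        if len(f) >= 4 and f[2] == "cgroup" and "rw" in f[3].split(","):
            hits.append(f[1])
    return hits

def process_hardening(status_text):
    """no_new_privs and seccomp state from /proc/<pid>/status text."""
    fields = dict(l.split(":", 1) for l in status_text.splitlines() if ":" in l)
    return {"no_new_privs": fields.get("NoNewPrivs", "0").strip() == "1",
            "seccomp": fields.get("Seccomp", "0").strip() != "0"}

# Constructed sample inputs, not captured from a real system.
SAMPLE_MOUNTS = """\
cgroup /sys/fs/cgroup/rdma cgroup rw,nosuid,nodev,noexec,relatime,rdma 0 0
cgroup /sys/fs/cgroup/memory cgroup ro,nosuid,nodev,noexec,relatime,memory 0 0
cgroup2 /sys/fs/cgroup/unified cgroup2 rw,nosuid,nodev,noexec,relatime 0 0
"""
SAMPLE_STATUS = "Name:\tsh\nNoNewPrivs:\t0\nSeccomp:\t2\n"

if __name__ == "__main__":
    import platform
    print("kernel has fix:", kernel_has_fix(platform.release()))
    with open("/proc/mounts") as fh:
        print("writable cgroup v1:", writable_cgroup_v1_mounts(fh.read()))
    with open("/proc/self/status") as fh:
        print("hardening:", process_hardening(fh.read()))
```

Run inside a container, a non-empty list of writable cgroup v1 mounts together with a kernel that lacks the fix marks the workload for patching or for a tighter Seccomp, AppArmor or SELinux profile.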

Source: opennet.ru
